[Security] client-to-client security :: Summary and todo's

Pavel Simerda pavlix at pavlix.net
Sun Aug 24 04:03:10 CDT 2008


On Sun, 24 Aug 2008 09:00:43 +0100
Pedro Melo <melo at simplicidade.org> wrote:

> Hi,
> 
> On Aug 23, 2008, at 5:21 PM, Dirk Meyer wrote:
> > UPnP is a working choice, but bad. Just google for it. Since it is
> > based on HTTP attackers found a way to open ports on your
> > router.
> 
> Having an open TCP port is not necessarily a security risk. It only
> becomes a security risk if the server that listens to that port has
> security problems.
> 
> Don't blame open TCP ports for mistakes of server programmers.
> 
> 
> > Besides that, I do not like the idea that every app can open
> > ports.
> 
> Well, how are they supposed to accept connections? And please don't  
> mention rfc2549 :).
> 
> Really, I think you should get used to it. With IPv6 (and yes, I'm a  
> believer :) )

+1

> you will (or at least I hope you will) lose that NAT  
> security barrier

A false security barrier for many.

It is ignorant to believe NAT is a security barrier in general, though
some implementations may provide a level of security.

Btw many of these issues only arise when one doesn't properly set up a
firewall and only relies on NAT. 

> that we have all grown so fond of, and the
> responsibility of server software implementations will be much much
> greater. Personally, I think we will get user-level firewall APIs:
> you negotiate a Jingle session with your peer and then open the
> necessary ports with a source filter.

We can use firewalls then.

Either way the APIs and IPv6 stuff are the future for the general public,
not the current situation.

Maybe we can assume better direct TCP/IP networking when designing
future protocols too, but some will disagree (as they always do).

> but getting back to our topic: you get to authenticate and check
> certificates on those open TCP connections. If you don't trust that,
> our protocol is flawed.
> 
> best regards,


-- 

Web: http://www.pavlix.net/
Jabber & Mail: pavlix(at)pavlix.net
OpenID: pavlix.net
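The "open the necessary ports with a source filter" idea from the quoted message, and the point that a firewall rather than NAT is what actually limits exposure, can be made concrete with a small model. The Python below is an added example and is not code from this thread or from any project it mentions: the `SessionFirewall` class, the `Packet` record, the injectable clock and the sample addresses are all constructed for illustration. It keeps inbound traffic closed by default and, once a peer-to-peer session has been negotiated, admits exactly one port for exactly one peer address for a limited time. The `render_nft` helper shows the same rule in nftables syntax and assumes a table `inet filter` with an `input` chain (default policy drop) already exists.

```python
"""Model of per-session, source-filtered inbound firewall rules.

Added example (not code from the thread). Default-deny inbound traffic;
after a peer-to-peer session is negotiated, allow one port for one peer
address, with an expiry. A host with a public IPv6 address and no NAT is
then still unreachable by arbitrary hosts. All names, the clock handling
and the sample addresses are constructed for illustration.
"""
import ipaddress
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The fields of an inbound packet that the filter looks at."""
    src: str        # source address as text, e.g. "2001:db8::10"
    dst_port: int
    proto: str      # "tcp" or "udp"


class SessionFirewall:
    """Default-deny inbound filter keyed by (peer address, port, protocol).

    `now` is injectable so the expiry logic can be exercised deterministically.
    """

    def __init__(self, now=time.monotonic):
        self._now = now
        self._rules = {}  # (address, port, proto) -> expiry timestamp

    @staticmethod
    def _key(addr, port, proto):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto}")
        # ipaddress normalises textual forms, so "2001:0db8::10" and
        # "2001:db8::10" produce the same key; a plain string key would not.
        return (ipaddress.ip_address(addr), port, proto)

    def allow_session(self, peer, port, proto, ttl_seconds):
        """Open `port`/`proto` for `peer` only, expiring after `ttl_seconds`."""
        key = self._key(peer, port, proto)
        self._rules[key] = self._now() + ttl_seconds
        return key

    def revoke(self, peer, port, proto):
        """Close the rule when the session ends; unknown rules are ignored."""
        self._rules.pop(self._key(peer, port, proto), None)

    def decide(self, pkt):
        """Return "accept" if a live rule matches the packet exactly, else "drop"."""
        try:
            key = self._key(pkt.src, pkt.dst_port, pkt.proto)
        except ValueError:
            return "drop"  # malformed input is never a reason to accept
        expiry = self._rules.get(key)
        if expiry is None:
            return "drop"
        if self._now() >= expiry:
            del self._rules[key]  # expired: close it lazily
            return "drop"
        return "accept"

    def render_nft(self, peer, port, proto):
        """Render the same rule in nftables syntax.

        Assumes (constructed for this example) that table `inet filter` and
        chain `input` exist and that the chain's default policy is drop.
        """
        addr, port, proto = self._key(peer, port, proto)
        family = "ip6" if addr.version == 6 else "ip"
        return (f"nft add rule inet filter input {family} saddr {addr} "
                f"{proto} dport {port} accept")


if __name__ == "__main__":
    fw = SessionFirewall()
    fw.allow_session("2001:db8::10", 6000, "udp", ttl_seconds=60)
    for pkt in (Packet("2001:db8::10", 6000, "udp"),   # negotiated peer
                Packet("2001:db8::99", 6000, "udp"),   # same port, other host
                Packet("2001:db8::10", 6001, "udp")):  # same host, other port
        print(pkt, "->", fw.decide(pkt))
    print(fw.render_nft("2001:db8::10", 6000, "udp"))
```

The decision is keyed on the triple (source address, destination port, protocol) rather than on the port alone, which is the difference between "a port is open" and "a port is open to one authenticated peer for the duration of a session". A real deployment would install the rendered rule and delete it when the session ends or the TTL passes; the model does the same bookkeeping in memory.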

